Posted to users@spamassassin.apache.org by Michael Scheidell <sc...@secnap.net> on 2009/06/18 20:04:34 UTC

more mainsleeze spam

main sleaze, as in spam from larger, established, 'legit' companies.  I 
am seeing a 20% increase in spam that doesn't trigger any of the zombie, 
forged, gappy or dialup list rules.  Neither are they triggering SARES 
or SOUGHT rules.

Looks like with the global downturn, many companies are turning to 
'free' email marketing services to not only cut down on costs of 
marketing, but to more quickly get the message out.  Many more third 
party email marketing companies are allowing questionable mailing lists 
and are opting to keep the money and client rather than enforce their 
posted terms of service.

Traditional outbound marketing would require people to make cold calls, 
postcards or mailers sent via snail mail.  To reach 10,000 people via 
cold call would take 100 people 10 days (well, they would 'reach' 1% of 
them).

Postcards, US third class could take three weeks and cost around $1.00 each.

Main sleaze:  as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some 
with and some without knowledge and adherence to the US Federal CAN-SPAM 
laws.

Traditional SA methods of looking for forged headers, zombies, and 
dialup networks don't help much.  Neither does Bayesian filtering 
since most of this new main sleaze spam is targeting the customer's 
vertical market anyway.  Hardly any 'zombie/forged/trojan' originated 
email ever gets past.  These are actually very easy to identify.

Some blacklists and reputation filters help, but this is reactive, after 
the fact, and usually after the company in question has finished their 
spam runs.  These emails are not using any evasion tricks, and are 
usually directly sent to one contact at a time with full username/email 
address.

(Even had one yesterday from a competitor in the anti-spam market:  
spammed us trying to sell their anti-virus client software :-).

Yes, our marketing and sales people beat us up about using these above 
methods in our marketing, and even uploaded a 'questionable' list of 
email addresses to one of our listservers.  The temptation is great to 
(ab)use email in this fashion.

Maybe I am stuck in 1994 when (most) people respected the net.  Maybe I 
react badly when one of these main-sleaze emails makes it past our 
filters, but the good news is that they help us identify third party 
email marketing companies that aren't careful about their clients.

What are you seeing? more main-sleaze spam, directly targeting your 
company/vertical market or clients?  or aren't you seeing much of this?

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
_________________________________________________________________________

RE: more mainsleeze spam

Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
We're seeing increasing amounts of that here.

I too think that it is sold-on "marketing lists".

Some of the spams mention "partner organisations" in their excuse for
spamming disclaimer at the bottom of the email.

I once had an interesting email discussion with a spammer who'd bought a
mailing list.  He could/would not accept that what he was doing was in
any way unethical.  Unfortunately for him, and many other
mass-marketers, I take a strict line on unsolicited bulk mailings.

We all need to adopt a new post-telephone maxim: "don't email us, we'll
Google you".

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: Charles Gregory [mailto:cgregory@hwcn.org] 
Sent: 18 June 2009 19:36
To: SpamAssassin Users List
Subject: Re: more mainsleeze spam

On Thu, 18 Jun 2009, Michael Scheidell wrote:
> What are you seeing? more main-sleaze spam, directly targeting your 
> company/vertical market or clients?  or aren't you seeing much of this?

We aren't overwhelmed with it, but now that you mention it, I've been
seeing a slow steady trickle of (technically non-spam) direct mail ads
to just my main address, but none of my users. The mail is generally
from a relatively local (within 100km) legitimate company with a passing
relevance to my business.

All of them contain opt-out instructions, but the variation of the
instructions and links make it look like genuine, sincere opt-out, and
not a spammers 'confirmation tool'. The feeling I get is that someone
has harvested a community services directory and sold it as a 'mailing
list' to these companies.

And as you noted, it's almost impossible to detect them as spam.
Fortunately there are very few of them.... :)

- Charles

Re: more mainsleeze spam

Posted by Charles Gregory <cg...@hwcn.org>.
On Thu, 18 Jun 2009, Michael Scheidell wrote:
> What are you seeing? more main-sleaze spam, directly targeting your 
> company/vertical market or clients?  or aren't you seeing much of this?

We aren't overwhelmed with it, but now that you mention it, I've been 
seeing a slow steady trickle of (technically non-spam) direct mail ads to 
just my main address, but none of my users. The mail is generally from a 
relatively local (within 100km) legitimate company with a passing 
relevance to my business.

All of them contain opt-out instructions, but the variation of the 
instructions and links make it look like genuine, sincere opt-out, and 
not a spammers 'confirmation tool'. The feeling I get is that someone has 
harvested a community services directory and sold it as a 'mailing list' 
to these companies.

And as you noted, it's almost impossible to detect them as spam.
Fortunately there are very few of them.... :)

- Charles

Re: more mainsleeze spam

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Thu, 2009-06-18 at 14:04 -0400, Michael Scheidell wrote:
> main sleaze, as in spam from larger, established, 'legit' companies.  I 
> am seeing a 20% increase in spam that doesn't trigger any of the zombie, 
> forged, gappy or dialup list rules.  Neither are they triggering SARES 
> or SOUGHT rules.
> 
> Looks like with the global downturn, many companies are turning to 
> 'free' email marketing services to not only cut down on costs of 
> marketing, but to more quickly get the message out.  Many more third 
> party email marketing companies are allowing questionable mailing lists 
> and are opting to keep the money and client rather than enforce their 
> posted terms of service.
> 
> Traditional outbound marketing would require people to make cold calls, 
> postcards or mailers sent via snail mail.  To reach 10,000 people via 
> cold call would take 100 people 10 days (well, they would 'reach' 1% of 
> them).
> 
> Postcards, US third class could take three weeks and cost around $1.00 each.
> 
> Main sleaze:  as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some 
> with and some without knowledge and adherence to the US Federal CAN-SPAM 
> laws.
> 
> Traditional SA methods of looking for forged headers, zombies, and 
> dialup networks don't help much.  Neither does Bayesian filtering 
> since most of this new main sleaze spam is targeting the customer's 
> vertical market anyway.  Hardly any 'zombie/forged/trojan' originated 
> email ever gets past.  These are actually very easy to identify.
> 
> Some blacklists and reputation filters help, but this is reactive, after 
> the fact, and usually after the company in question has finished their 
> spam runs.  These emails are not using any evasion tricks, and are 
> usually directly sent to one contact at a time with full username/email 
> address.
> 
> (Even had one yesterday from a competitor in the anti-spam market:  
> spammed us trying to sell their anti-virus client software :-).
> 
> Yes, our marketing and sales people beat us up about using these above 
> methods in our marketing, and even uploaded a 'questionable' list of 
> email addresses to one of our listservers.  The temptation is great to 
> (ab)use email in this fashion.
> 
> Maybe I am stuck in 1994 when (most) people respected the net.  Maybe I 
> react badly when one of these main-sleaze emails makes it past our 
> filters, but the good news is that they help us identify third party 
> email marketing companies that aren't careful about their clients.
> 
> What are you seeing? more main-sleaze spam, directly targeting your 
> company/vertical market or clients?  or aren't you seeing much of this?

Let me introduce you to the Barracuda White List & emailreg.org..... Oh.
I see you may have already met them :-)

RE: more mainsleeze spam

Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
Cedric Knight wrote:

> (b) are from UK-based registered companies and ostensibly directed to
> other businesses in the UK.  Many are for worthless sales training
> webinars - I don't know if they teach more people how to send lots of
> spam email.  An anonymous benefactor posts a useful monthly list of
> spammers and their hosts called "UK spammers activity report June
> 2009" on news:news.admin.net-abuse.email, usually leading with the
> notoriously annoying and stupid Communicado/Bitesize/Britain in
> Business.  The list can be used to block the ranges (often /24) used
> by the spammers.   
> 
> What is notable from that list is that most IP addresses aren't in
> any BL, except sometimes APEWS and BRBL, probably because BLs have
> few spamtrap addresses that the spammer would want to add - there may
> be some human intervention to verify that target domains are real
> users (although of course you can't really send junk in bulk unless
> it is automated.)
> 
> I guess these aren't quite as "vertical" as you describe, but there
> is often some attempt at targeting the spam - sometimes it's clear
> the spammer has included all email addresses from a web page that
> mentions, say, a particular town or industry.  My understanding of
> mainsleaze is that it comes from companies you might want to buy
> something from until you get their spam - what I'm describing isn't
> quite like that and often operates from a PO Box/accommodation
> address.  There are also, as you mention, often third-party mailers
> that may still even be in Habeas or similar cleanlists, although they
> increasingly become infiltrated, then dominated, by clients who abuse
> the network.

The UK spammers list is interesting, thanks for that.

At the bottom was

   202.71.129.68 [a] hmrcpayrollnewsorg.info [!], hmrcpayrollorg.info 

which reminded me of this resource published by the HMRC, which might
not be widely known to SA users:

  http://www.hmrc.gov.uk/security/fraud-attempts.htm

Or, for easy copy/paste into your configs,

------------  cut here  ----------------
# following listed in http://www.hmrc.gov.uk/security/fraud-attempts.htm

blacklist_from successful@gov.uk
blacklist_from customer.office@hmrc.customsoffice.gov.uk
blacklist_from tax-service@hmrc.customs.gov.uk
blacklist_from notify2@hrms.co.uk
blacklist_from refundtax@hmrc.gov.co.uk
blacklist_from TaxRefund@hmrc.gov.uk
blacklist_from service@hmrc.gsi.gov.uk
blacklist_from claims@hmrc.direct.gov.uk
blacklist_from notice@hmrc.gov.uk
blacklist_from hmrc@hmrc.gov.uk
blacklist_from admin@hmrc.gsi.gov.uk
blacklist_from info@hmrc.gsi.gov.uk
blacklist_from no-reply@hmrc.gsi.gov.uk
blacklist_from refund@hmrc.gov.uk
blacklist_from Refound@hmrc.gov.uk
blacklist_from IRS@hmrc.gov.uk
blacklist_from services@hmrc.gsi.gov.uk
blacklist_from service@HMRC.co.uk

Cheers,

Phil
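
As an added illustration (not code from Phil's post or from SpamAssassin itself), the Python below reproduces how SpamAssassin matches blacklist_from entries like those above: each entry becomes an anchored, case-insensitive glob in which * and ? are wildcards, compared against the sender address (rule USER_IN_BLACKLIST). It uses a constructed subset of the HMRC list plus one assumed wildcard entry, and checks only the From: header, whereas SpamAssassin also looks at the envelope-sender and Resent-* headers.

```python
import re

# Constructed local.cf fragment: a subset of the HMRC blacklist_from entries
# posted above, plus one wildcard entry (assumed, not from the post) to show
# the glob syntax SpamAssassin accepts in *list_from directives.
LOCAL_CF = """
# following listed in http://www.hmrc.gov.uk/security/fraud-attempts.htm
blacklist_from successful@gov.uk
blacklist_from refundtax@hmrc.gov.co.uk
blacklist_from TaxRefund@hmrc.gov.uk refund@hmrc.gov.uk
blacklist_from service@HMRC.co.uk
blacklist_from *@hmrc.gov.co.uk
"""


def parse_blacklist_from(cf_text):
    """Collect every address pattern given to blacklist_from (several per line allowed)."""
    patterns = []
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        key, _, rest = line.partition(" ")
        if key == "blacklist_from":
            patterns.extend(rest.split())
    return patterns


def glob_to_regex(pattern):
    """SpamAssassin *list_from semantics: '*' = any run, '?' = one character,
    everything else literal, anchored at both ends, compared case-insensitively."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def extract_address(from_header):
    """Return the bare address from a From: value, with or without a display name."""
    m = re.search(r"<([^<>]+)>", from_header)
    return (m.group(1) if m else from_header).strip()


def blacklisted_from(from_header, patterns):
    """True if the From: address matches any blacklist_from pattern.
    Real SA also checks Envelope-Sender, Resent-Sender and X-Envelope-From."""
    addr = extract_address(from_header)
    return any(glob_to_regex(p).match(addr) for p in patterns)


def check_samples():
    """Run constructed From: headers through the list and return the verdicts."""
    patterns = parse_blacklist_from(LOCAL_CF)
    samples = {
        "display name": '"HM Revenue & Customs" <TaxRefund@hmrc.gov.uk>',
        "case differs": "service@hmrc.co.uk",
        "wildcard hit": "anything@hmrc.gov.co.uk",
        # a literal entry only catches that exact address, nothing near it
        "not listed": "refund2@hmrc.gov.uk",
    }
    return {name: blacklisted_from(hdr, patterns) for name, hdr in samples.items()}
```

The "not listed" case is the practical limit of a literal blacklist: it catches the exact addresses HMRC published and nothing else, so the list is a stopgap beside rDNS/SPF/DKIM checks rather than a replacement for them.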

Re: more mainsleeze spam

Posted by Michael Scheidell <sc...@secnap.net>.

Cedric Knight wrote:
> (1) Report to SpamCop and DCC/Pyzor.

ditto, and better, since we use the commercial version of DCC, it also 
includes a reputation score.
DCC reputation score is really nice, since if the ip address does lots 
of spamming, you get a hit on it even if 'this' zero day spam doesn't.
sa reporting with DCC reputation code adds (n++) to the score.

example, your server ip:

http://www.rhyolite.com/cgi-bin/reps.cgi?tgt=217.72.179.5

pretty good reputation, only 29% of the email originating is considered 
'bulk'
(DCC hint:  bulk is not spam!), second DCC hint: make sure you whitelist 
your own ip's so you don't get a 'bulk' score!
anything over 20% takes 30 days to clear out.

also, have REAL spamcop reporting address in local.cf

> In short, I think more anti-spam activists are needed.

been there, done that, got the tee shirts.  have had spammers come into 
my office with weapons in the past because I got them cancelled.

Still have a bunch of 'scheidell is a nazi' web pages up complaining 
about me going all the way back to '94 (that's 1994 to all of your pre 
y2k people :-)

> CK


Re: more mainsleeze spam

Posted by Cedric Knight <ce...@gn.apc.org>.
Michael Scheidell wrote:
> Main sleaze:  as in DKIM SIGNED, NOT FORGED, SPF RECORDS MATCH, some
> with and some without knowledge and adherence to the US Federal CAN-SPAM
> laws.

> Maybe I am stuck in 1994 when (most) people respected the net.  Maybe I
> react badly when one of these main-sleaze emails makes it past our
> filters, but the good news is that they help us identify third party
> email marketing companies that aren't careful about their clients.

I see similar things, and it annoys me quite a bit too.  In Europe, the
legal situation is somewhat different, as the Privacy & Electronic
Communications Regulations (PECR) outlaw sending unsolicited email to
individuals.  As a result, what I tend to see and get complaints about
is email from valid domains with proper rDNS and SPF which either:

(a) advertise generic scams to consumers such as draws for shopping
vouchers in UK stores, and recently loans and insurance comparison,
which come from the USA with a superficial compliance with "CANSPAM".
Notably, the postal address identifying the organisation (either in the
US or an accommodation address/mailbox supposedly in the UK such as "56
Gloucester Road #215") is presented as an image.  The servers are rented
from US-based companies.  I have some meta rules based on technical
details that help quarantine most of the crap.

(b) are from UK-based registered companies and ostensibly directed to
other businesses in the UK.  Many are for worthless sales training
webinars - I don't know if they teach more people how to send lots of
spam email.  An anonymous benefactor posts a useful monthly list of
spammers and their hosts called "UK spammers activity report June 2009"
on news:news.admin.net-abuse.email, usually leading with the notoriously
annoying and stupid Communicado/Bitesize/Britain in Business.  The list
can be used to block the ranges (often /24) used by the spammers.

What is notable from that list is that most IP addresses aren't in any
BL, except sometimes APEWS and BRBL, probably because BLs have few
spamtrap addresses that the spammer would want to add - there may be
some human intervention to verify that target domains are real users
(although of course you can't really send junk in bulk unless it is
automated.)

I guess these aren't quite as "vertical" as you describe, but there is
often some attempt at targeting the spam - sometimes it's clear the
spammer has included all email addresses from a web page that mentions,
say, a particular town or industry.  My understanding of mainsleaze is
that it comes from companies you might want to buy something from until
you get their spam - what I'm describing isn't quite like that and often
operates from a PO Box/accommodation address.  There are also, as you
mention, often third-party mailers that may still even be in Habeas or
similar cleanlists, although they increasingly become infiltrated, then
dominated, by clients who abuse the network.

Anyway, here are some suggestions to deal with mainsleaze:

(1) Report to SpamCop and DCC/Pyzor.

(2) Locate the upstream colocation provider (or mailing list provider)
and ask them to enforce their AUP and the maximum contractual penalty.
One or two hosts unfortunately are so negligent that it might be
necessary to go to the backbone provider (not that I've ever done that).

(3) More people should consider legal action based on PECR and improper
processing of personal data without consent.  There have been many cases
here in the UK where a few hundred pounds sterling have been awarded by
a small claims court, but the case should be properly prepared - e.g.
http://www.steveroot.co.uk/2008/02/spam-wars-the-s.html.  I also wonder
why spam, being (often explicitly) unauthorised use of a receiving
server, cannot be prosecuted under anti-cracker legislation.

(4) Contact any postal mailbox provider and again ask them to enforce
ToS and penalty.

(5) Possibly most effective?  If the spam contains a free or cheap sales
number, ring, ask to speak to the director (the name is usually a matter
of public record), and ask why they are wasting people's time (and
bandwidth, and CPU) with UBE.  If they offer to unsubscribe your
address, try to explain the point is that it's an abuse of the network
and they shouldn't have sent anything in the first place: if everyone
thought it was acceptable to send opt-out spam, email would become
unusable.  The objective is simply to get an apology, or some indication
that they are not complete moral retards.

In short, I think more anti-spam activists are needed.

CK